/*
 * ExecutionExplorer.h
 * NtTrace Analyzer
 * @author Gregoire JACOB (gregoire.jacob@orange-ftgroup.com)
 * @date 02/09/2008
 * @version 1.0
 * Parse process trace and analyse the different calls
 * to monitored functions as well as their arguments
 */

//Monitored system functions
// Each string macro is the text the analyzer looks for in a trace line to
// recognise a monitored NT system call; the IOCTL_AFD_* codes are the AFD
// control codes that separate sends from receives once RWN1 has matched.
// NOTE(review): this header uses FILE and struct TYPING below without
// including <stdio.h> or declaring the struct, and carries no include guard;
// the including .c must provide both before this header.
/*Generic operations******************/
// NOTE(review): OPENR1 keeps its "(" so it does not also hit NtOpenKeyedEvent;
// CLOSE has no such terminator, so if it is matched the same way "NtClose"
// also matches NtCloseObjectAuditAlarm — confirm against the matcher.
#define	CLOSE		"NtClose"

/*File operations*********************/
// READF1/WRITEF1 are prefixes of READF2/WRITEF2; both pairs denote the same
// kind of access, but if the matcher stops at the first hit the order in
// which they are tested decides which code is reported — confirm in the .c.
#define OPENF1		"NtOpenFile"
#define	OPENF2		"NtCreateSection"
#define CREATEF1	"NtCreateFile"
#define DELETEF1	"NtDeleteFile"
#define EXECF1		"NtCreateProcessEx"
#define READF1		"NtReadFile"
#define READF2		"NtReadFileScatter"
#define READF3		"NtMapViewOfSection"
#define WRITEF1		"NtWriteFile"
#define WRITEF2		"NtWriteFileGather"

/*Registry operations*****************/
#define	OPENR1		"NtOpenKey("	//( to avoid NtOpenKeyedEvent
//#define	OPENR2		"NtEnumerateKey"
// NOTE(review): unlike OPENR1, CREATER1 has no "(" terminator, so a substring
// match would also classify NtCreateKeyedEvent as a key creation — confirm.
#define	CREATER1	"NtCreateKey"
#define DELETER1	"NtDeleteKey"
#define READR1		"NtQueryValueKey"
#define WRITER1		"NtSetValueKey"

/*Network operations********************/
// NOTE(review): the ntdll export is spelled NtDeviceIoControlFile (lower-case
// "o"); if the comparison is case-sensitive this string never matches and no
// network operation is ever reported — confirm against real trace output.
#define RWN1		"NtDeviceIOControlFile"
// Control codes compared against the IoControlCode argument of RWN1 lines.
#define IOCTL_AFD_RECV			0x00012017
#define IOCTL_AFD_RECV_DATAGRAM 0x0001201B
#define IOCTL_AFD_SEND			0x0001201F
#define IOCTL_AFD_SEND_DATAGRAM 0x00012023


/**
 * processLine()
 * Analyzes a given line of the process trace and writes the translated
 * result to the log file.
 * @param logf   the log file receiving the translated data
 * @param types  the current trace typing structure
 * @param line   the current line to analyze (declared non-const; whether the
 *               parser modifies it in place is not visible from this header)
 */
void processLine(FILE * logf, struct TYPING * types, char * line);


/**
 * monitorFileControl()		monitorRegControl()		monitorNetworkControl()
 * monitorFileIO()			monitorRegIO()			monitorNetworkIO()
 * One family per object class (file, registry key, network). The *Control
 * variants report a single object, the *IO variants report two; judging by
 * the macro groups above, Control presumably covers open/create/delete/close
 * style calls and IO covers read/write style calls — confirm in the .c.
 * @param types  the typing structure containing the identified objects
 * @param line   the line to monitor
 * @param obj1   out: the first object of the operation
 * @param obj2   out: the second object of the operation (IO variants only)
 * @return the binary code of the detected system call, otherwise 0
 * NOTE(review): nothing here says whether obj1/obj2 are written when 0 is
 * returned; callers should only read them on a non-zero result — confirm.
 */
unsigned long monitorFileControl(struct TYPING * types, char * line, int * obj1);
unsigned long monitorFileIO(struct TYPING * types, char * line, int * obj1, int * obj2);
unsigned long monitorRegControl(struct TYPING * types, char * line, int * obj1);
unsigned long monitorRegIO(struct TYPING * types, char * line, int * obj1, int * obj2);
unsigned long monitorNetworkControl(struct TYPING * types, char * line, int * obj1);
unsigned long monitorNetworkIO(struct TYPING * types, char * line, int * obj1, int * obj2);

/**
 * formatLogEntries()
 * @param logf       the log file receiving the translated data
 * @param types      the typing structure containing the identified objects
 * @param operation  the current operation to register (presumably a code
 *                   returned by one of the monitor*() functions)
 * @param obj1       the first object of the operation
 * @param obj2       the second object of the operation
 * Formats the operation and objects in the right format to be written down in
 * the log file. Sequences of identical operations are formatted as loops, so
 * the function presumably keeps state between calls — TODO confirm in the .c.
 */
void formatLogEntries(FILE * logf, struct TYPING * types,
					unsigned long operation, int obj1, int obj2);
/**
 * printLogEntry()
 * Same parameters as formatLogEntries(). Undocumented in the original;
 * NOTE(review): presumably writes one entry without the loop folding — confirm.
 */
void printLogEntry(FILE * logf, struct TYPING * types,
					unsigned long operation, int obj1, int obj2);